Band of Botnet Busters Grounds Grum

The Grum botnet has been laid low by security researchers and law enforcement. Grum was a massive collection of tens of thousands of PCs, and it was responsible for a significant portion of the world's spam. Grum's unravelling may cause a temporary dip in spam levels, though some other botnet will likely take up the slack soon enough.

By Richard Adhikari
07/19/12 11:54 AM PT

A joint effort by antimalware company FireEye, law enforcement authorities and other antispam activists has taken down Grum, believed to be the world's third-largest botnet, accounting for nearly 20 percent of worldwide spam.

After three days of work, all of Grum's known command and control (CNC) servers are now dead, according to FireEye's Atif Mushtaq.

Grum had CNC servers in the Netherlands, Panama and Russia that were believed to control at least 100,000 infected PCs.

What Is Dead May Never Die but Rises Again Harder and Stronger

However, the reduction in spam may be short-lived.

"I would expect no more than a couple of weeks of relief," Randy Abrams, research director at NSS Labs, told TechNewsWorld. "However, consumers may notice little or no difference because most of the spam is blocked before it ever gets to their inbox or spam filters."

The elimination of Grum "doesn't mean the technology won't be reused someplace else or that a variant will show up later," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "I'd bet that it or something like it will be back shortly, if it's not already back."

What's a Grum?

Every time you see a spam message for cheap pharmaceuticals, it was most likely sent out by Grum.

Grum "seems to be primarily pharma spam," Adam Wosotowsky, messaging data architect at McAfee Labs, told TechNewsWorld. "We've also seen replica spam and casino spam coming from it, as well as phishing and viruses." However, "there's a lot of overlap with other botnets, so it's not like Grum had a lot of individually unique stuff that only it was responsible for sending."

Grum seems to have been particularly hard to kill. McAfee's Q4 2011 threat report stated that Grum had made a significant comeback in 2011 after a long decline, surpassing the Bobax and Lethic botnets by the end of that quarter.

Some reports state Grum was also known as "Tedroo," but "different components are known by different names at different times," David Harley, senior research fellow at ESET, told TechNewsWorld. "It's not exactly an alias, but some AV vendors have used the name 'Tedroo' for the spambot."

How the Grumster Was Shut Down

Earlier this week, Dutch authorities took out two Grum CNC servers, which pumped spam instructions to the botnet's zombies, or infected PCs, FireEye said. However, the master CNC servers in Panama and Russia were still extant, and the ISPs in Russia and Panama ignored abuse notifications FireEye sent them.

Then the ISP owning the server in Panama buckled under pressure applied by the community, FireEye reported. That prompted the bot herders -- the people behind the botnet -- to direct the rest of the CNCs to new secondary servers in the Ukraine. They replaced the Dutch servers with six new ones in the Ukraine, which FireEye described as a safe haven for bot herders.

FireEye then shared this information with Spamhaus, CERT-GIB in Russia, and an anonymous researcher with the handle "Nova7." These three informed their contacts in the Ukraine and Russia, and by Wednesday the server in Russia and those in the Ukraine had been taken down.

The primary ISP for the Russian server, Gazinvestproekt, wasn't involved in that machine's takedown; their upstream provider had to do the job, FireEye said.

"Generally it requires full coordination to take down DNS hosting, CNC hosting and working with registrars to take over CNC domains," McAfee's Wosotowsky said. "All of those things tend to be spread over multiple countries in multiple time zones. You have to hit them all at the exact same time, or the botmaster will have time to take action to protect the botnet and get it up and running."

Lies, Damned Lies and Statistics

Grum was reportedly responsible for 18 percent of the world's spam. However, "the vast majority of spam is blocked by ISPs," NSS Labs' Abrams pointed out. "Metrics about the percentage of world spam are generally about what gets blocked the most, whereas users are interested in what keeps getting through the most."

The percentage of spam that any specific botnet is responsible for is "directly correlated to the markings on the dart board used to derive the estimates," Abrams continued. "When correlating figures on spam from different sources, there appears to be a 25 percent margin of error."